> Firstly, I am attempting to get XP/OSX clients to connect to a 802.1x
> WLAN provided by a cisco wlan controller. This is currently backed by
> ACS and works, but I'd like to use FreeRADIUS if possible, with half
> my users in LDAP and half in MySQL.
> The setup uses PEAP, however am I correct in thinking that the RADIUS
> server never touches any TLS components? The TLS tunnel is between
> the WLAN controller and the client right?
Nope, the TLS tunnel starts at the client and ends at the Radius
server: that's why the radius server needs a certificate (see the
eap.conf file) and the client needs to check the radius server's
certificate.
> Furthermore, I know I cannot use ldap authentication (binding) as a
> result of the eap conversation,
True, because PEAP implies an ms-chapv2 exchange that requires the
knowledge of the NT-Hash (ldap used as an authorization backend and not
an authentication module).
> however can I store an NT-Hash in LDAP/MySQL for the mschapv2 module
> to pick up and use? I'd prefer not to store clear text at all if
> possible...
Yes for LDAP (see ldapattr.map), which maps the radius internal attribute
NT-Password to sambaNTPassword by default.
> I have everything I need compiled and installed, but I'd like to know
> whether or not I can achieve my goal before wasting a lot of my time.
> Any pointers are thus greatly appreciated.
See doc/rlm_ldap, the ldapattr.map configuration file,
and the ldap section of radiusd.conf.
HTH,
Thibault
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
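Added example, not code from the thread above: the NT-Hash the mschapv2 module needs is MD4 over the UTF-16LE password, and this script computes it in pure Python (hashlib's md4 is often disabled under OpenSSL 3) and formats it both as a sambaNTPassword LDIF change (the attribute ldapattr.map maps to NT-Password) and as a FreeRADIUS SQL radcheck row. The DN base `ou=people,dc=example,dc=org` and the usernames are assumptions.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), needed because MD4 is a legacy algorithm in OpenSSL 3."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # 64-bit little-endian bit length
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1: F(b,c,d) = (b & c) | (~b & d), X[i] in order
            fn, k, s = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, _rotl((a + fn + x[k]) & MASK, s), b, c
        for i in range(16):  # round 2: G = majority, X index 0,4,8,12,1,5,...
            fn, k, s = (b & c) | (b & d) | (c & d), (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, _rotl((a + fn + x[k] + 0x5A827999) & MASK, s), b, c
        for i in range(16):  # round 3: H = xor, X index is the 4-bit reversal of i
            fn, k, s = b ^ c ^ d, int(f"{i:04b}"[::-1], 2), (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, _rotl((a + fn + x[k] + 0x6ED9EBA1) & MASK, s), b, c
        h = [(u + v) & MASK for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT-Hash as FreeRADIUS expects it: uppercase hex of MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ldap_ldif(uid: str, password: str) -> str:
    """LDIF that sets sambaNTPassword for a user (DN base is an assumed example)."""
    return "\n".join([
        f"dn: uid={uid},ou=people,dc=example,dc=org",
        "changetype: modify",
        "replace: sambaNTPassword",
        f"sambaNTPassword: {nt_hash(password)}",
        "",
    ])


def radcheck_row(username: str, password: str) -> tuple:
    """(username, attribute, op, value) for the FreeRADIUS SQL radcheck table."""
    return (username, "NT-Password", ":=", nt_hash(password))


if __name__ == "__main__":
    print(ldap_ldif("alice", "password"))        # constructed sample user
    print(radcheck_row("bob", "password"))
```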